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Abstract 

The information reconciliation in a quantum key distribution protocol 
can be studied separately from other steps in the protocol. The problem of 
information reconciliation can be reduced to that of distributed source cod- 
ing. Its solution by LDPC codes is reviewed. We list some obstacles prevent- 
ing the LDPC-based distributed source coding from becoming a more favor- 
able alternative to the Cascade protocol for information reconciliation in 
quantum key distribution protocols. This exposition does not require knowl- 
edge of the quantum theory. 



1 Introduction 

The quantum key distribution (QKD) protocol invented in fl\ is one of technolo- 
gies nearest to practical realization among various quantum information process- 
ing technologies. The goal of a QKD protocol is to share a common random 
string, called key, between two legitimate users Alice and Bob secretly from the 
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eavesdropper Eve. Alice and Bob can use an authenticated public classical chan- 
nel between them to achieve the goal, but Eve can see all the contents in the 
public channel. In addition to this classical channel, there is a quantum channel 
between Alice and Bob over which quantum objects are transmitted from Alice 
to Bob. Observe that this is a quantum extension of the model CW introduced by 
Ahlswede and Csiszar IfTSl Section 9.2] with the classical noisy channel replaced 
by the quantum noisy one. 

As categorized in [|26J . a QKD protocol can usually be divided into four steps: 

1. Quantum transmission and reception: Alice transmits randomly chosen quan- 

tum objects to Bob. Bob measures received objects by a randomly chosen 
measurement method. After this step, Alice and Bob have classical bits of 
the same length. The remaining steps in a QKD protocol are purely classical 
information processing, and all the processed data are classical. 

2. Channel parameter estimation: Alice and Bob publicly announce parts of 

transmitted objects and measurement outcomes. From announced data, they 
estimate the channel parameters between them. Usually, part of parameters 
remains unknown. Remaining parts of Alice and Bob's bits are used for 
generating secret key. 

The surprising feature of the quantum theory is that (quantum counterpart 
of) the joint probability distribution among Alice, Bob and Eve can be de- 
termined from the channel parameter only between Alice and Bob, which 
cannot be done within the classical secret key agreement. 

3. Information reconciliation: Alice and Bob make their bits identical by con- 

versation over the public channel. 

4. Privacy amplification: Alice and Bob shorten their bits by multiplying a bi- 

nary matrix to their identical bits. The resulting shortened bits are almost 
statistically independent of all the information possessed by Eve, which in- 
cludes the conversation between Alice and Bob over the public channel. 

Note that the third and fourth steps are essentially the same as the information 
theoretically secure key agreement introduced by Maurer, Ahlswede, and Csiszar 
IfTSl Chapter 9]. Thus, many parts of this exposition are also relevant to the infor- 
mation theoretically secure key agreement. 

Traditional security proofs for QKD protocols, for example ll28l . combines 
the information reconciliation and the privacy amplification. Because of that, 
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we could not study the information reconciliation in QKD protocols separately 
from the privacy amplification, for example, we could not investigate what kind 
of the information reconciliation was suitable without considering the privacy 
amplification. This situation was reversed by the several new security proofs 
|[IIl[Il[l3l[Il[l9ll2Qll25ll26ll27l[3ll, which enabled us to study the infor- 
mation reconciliation in QKD protocols without considering other steps in 
QKD protocols. 

The purpose of this exposition is to introduce the problem of information rec- 
onciliation in QKD protocols in a form accessible to coding theorists without 
background in the quantum theory except footnotes and to clarify what kind of 
problems arises in LDPC codes used for information reconciliation. This exposi- 
tion is organized as follows: Section[2ldescribes the problem statement and briefly 
reviews the relevant research results. Section [3] reviews the Slepian-Wolf coding 
|[6, Section 15.4] and its relation to the information reconciliation. Section Hire- 
views a solution by LDPC matrices and lists the problems whose solutions are 
wanted (by this author). Section [5] gives a conclusion. 

2 Problem statement 

We assume that physical objects with two-dimensional state spaces are transmit- 
ted in the QKD protocols. This assumption is valid in one of several common 
realization of QKD protocols. Another common realization of QKD protocols 
uses infinite-dimensional objects [9]. Information reconciliation in such a case 
is discussed in ^ [161 [l2l UM- The information reconciliation in the infinite- 
dimensional case seems more challenging than the two-dimensional case. 

After the channel parameter estimation, Alice has an n-bit binary string X" — 
{Xi, . . . , Xn), Bob has F" = (Fi, . . . , F„), and they know an estimate of the joint 
probability distribution Pxy assuming that {Xi, F/) are i.i.d. for all z = 1, . . . , n. 
The goal of the information reconciliation is for Bob to produce a string X" by 
(possibly two-way) conversation with Alice over the public channel. The entire 
content of their conversation depends on X" and Y'\ and c{X'\Y") denotes the 
entire conversation. The desirable properties of the information reconciliation are 

• Make Pr[X" = X"] sufficiently close to one. 

• Make the mutual information /(X";c(X",F")) as small as possible. 

The reason behind the second property is that we must subtract I{X";c{X",Y")) 
bits from the length of the final secret key O |23, because /(X";c(X",F")) is 
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Figure 1 : Asymmetric Slepian-Wolf coding 



the amount of information leaked to Eve during the conversation over the public 
channel. Note that decreasing I{X";c{X'\Y")) is totally different from decreas- 
ing the number of bits in the conversation c{X",Y"). For example, the famous 
information reconciliation protocol Cascase [13l|29l exchanges many bits between 
Alice and Bob, while keeping /(X"; c(X", Y")) relatively small. 

We restrict ourselves to the one-way conversation, that is, only Alice sends 
information to Bob and Bob sends nothing to Alice0. In the one-way conversa- 
tion, c(X",y") is a function of X'\ denoted by c(X"). We have /(X";c(X")) < 
H{c{X")) < the number of bits in c{X"). We can find a good information recin- 
ciliation method by saving the number of bits in c{X") while enabling Bob to 
decode X" from c{X") and 7". This is a kind of data compression problem, called 
the Slepian-Wolf problem. So we shall review it in the next section. 



3 Slepian-Wolf coding 

A simplified version of the general Slepian-Wolf problem [6, Section 15.4] is 
given in Figure [T] The main information X" is statistically correlated with the side 
information Y'\ The encoder (data compressor) can only use X" for generating 
the codeword (compressed data) /sw(^") of some fixed length m. On the other 
hand, the decoder (decompresser) can use both /sw(^") and Y". 

If Y" is unavailable by the decoder, the compression rate m/n must be > H{X) , 
the entropy ofX", in order for the decoding error probability Fr[X ^ X"] to be neg- 
ligible. The availability of 7" improves the optimal compression rate to H{X\Y) 
from H{X). The encoder and the decoder are assumed to know (a good estimate 

^Although the Cascade ||3]|29l does not asymptotically yield more key, it is also known that use 
of two-way conversation increases the amount of key LS, t33J, which are quantum counterparts of 
the two-way conversation over the public channel proposed in ||2TI . but we do not discuss the two- 
way conversation here, because the information reconciliation with two-way conversation seems 
rarely used. 
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of) the joint probability distribution Pxy, and they are usually optimized for a par- 
ticular PxY- This special form of the Slepian-Wolf coding is called asymmetric 
Slepian-Wolf coding [lOJ, because the roles of X and Y are asymmetric at the 
decoder. 

We return to the information reconciliation. Recall that Alice has X" and Bob 
has y". If Alice sends the codeword fswiX"), then Bob can recover X" with 
high probability by the Slepian-Wolf decoder and 7". The amount of information 
leaked to Eve is estimated as /(X";/sw(^")) < ^(isw(^")) < the number of bits 
in /sw(^")- Thus, if the compression rate is betteo then the upper bound on the 
leaked information is smaller. 

4 Use of LDPC codes and open issues 

The application of LDPC codes to the Slepian-Wolf coding with full side informa- 
tion can be done as follows [EKTS] . Let M be an m x n sparse matrix, and X" be the 
source information. The codeword /sw(^") is MX". Decoding of X" given MX" 
and Y" can be done by the sum-product (belief propagation) algorithm over the 
Tanner graph of M. The difference to the channel decoding by the sum-product 
algorithm over the binary symmetric channels is as follows: 

• Y" can be regarded the received word with the transmitted worc^ X" over 
the channel Py\x with exception that the syndrome of X" is not the zero 
vector but MX". 

• While the generation of messages from a check node assumes the parity of 
the bits is always zero in the channel decoding, the parity of a check node 
in the Slepian-Wolf decoding is determined from MX". 

• The initial log-likelihood ratio at a variable node Xi is determined from P^jy 
and Yi in the Slepian-Wolf decoding. 

Under the maximum likelihood decoding, the sparse matrix is shown to asymptot- 
ically achieve the optimum compression rate [23 1. The use of sparse matrices for 

^Strictly speaking, the use of the Slepian-Wolf coding and the simple minimization of the 
number of bits in fs\^{X") neglect the optimization of the auxiliary random variables U and V in 
ll26l . which are the quantum counterparts of U and Q in ITSl Theorem 9.2]. 

^It is also possible to regard that the concatenation of X" and MX" is the transmitted word. See 
IfTOl for more detail. 
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information reconciliation as Slepian-Wolf encoders seems to be first considered 
by Muramatsu [|22ll . 

As a consumer of LDPC matrices for the information reconciliation, there are 
at least the following problems. 

1 . For a given distribution Pxy, an optimized matrix M is not available (on the 
Internet). A consumer has to find an optimized matrix by himself using the 
density evolution or its alternative. 

2. It is convenient to have a single matrix M and puncture (or shorten) M for 
various different rates H{X\Y). 

3. For a fixed compression rate R, there are infinitely many distributions Pxy 
such that H{X\Y) = R, when we do not assume that Y" is the output of a 
binary symmetric channel^ with the input X'\ It is convenient to have a 
single nRx n matrix M such that the encoder by M yields small decoding 
error probability with all the distributions Pxy with H{X\Y) ~ R. 

Problem [H can be solved by a slightly modified version of the density evolu- 
tion. Under the assumption that Y is the output of a binary symmetric channel, 
good sparse matrices were found by Elkouss et al. [7J. The codes in [7J outper- 
form the Cascade [[31 HH, which seems the most popular method for the informa- 
tion reconciliation in QKD protocols when this exposition is written. Thus, the 
use of LDPC matrices looks promising for QKD protocols. 

Problems |2] and |3] are large disadvantages compared to the Cascade (31 |29l . 
because the Cascade is in a sense universal and we do not have to adjust it to 
different Pxy- In order for the LDPC method to become more favorable as an 
alternative to the Cascade in the QKD application, these problems may have to be 
solved. 

Problem [2] was considered by Varodayan et al. [[301 , in which an accumulator 
is serially connected to an LDPC encoder. However, the performance is still a bit 
distant from the theoretical optimum, and there seems to be a room for improve- 
ment. Several other solutions have been proposed and can be found in [[TOl . 

Although Coleman [|4l provided a Shannon theoretic solution to Problem |3] 
with the expander code and the minimum entropy decoder by the linear program- 
ing, an efficient solution has not been provided as far as the author knows. 

^Be careful that some security proofs cannot take advantage of the nonzero difference between 
conditional probabilities ^V|a:(1 |0) ^i^^ A'|x(0| !)■ References lilT[[T2|[25l[26l[27l are known to be 
capable of utilizing this difference in order to improve the compression rate in the Slepian-Wolf 
coding, as pointed out in |f32l Remark 1 ] . 
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5 Conclusion 



The standard error-correction scheme, such as LDPC codes and turbo codes, 
seems less popular than the Cascade protocol O] |29l for the information recon- 
ciliation in quantum key distribution protocols. The author guessed the difficulty 
in selecting optimized codes as the reason for its unpopularity, and gave three 
specific difficulties. 
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